International Airlines Group (IAG), owner of British Airways, says that further investigation since its September 6 announcement, which stated that up to 380,000 customers may have had their personal data, including credit card details, compromised, has revealed the possibility that an additional 180,000 customers’ data may also have been compromised. At the same time, it has reduced its estimate of the initial number to 244,000, making the overall total of affected customers 424,000.
While British Airways has made it very clear that it will compensate any customers for direct financial losses incurred as a result of the breach in data security, it has yet to learn of any verified instances of fraud since the original announcement. The airline also confirmed that only those customers who made reward bookings between April 21 and July 28 and who used a payment card could have been affected.
According to a news release from the carrier: “While we do not have conclusive evidence that the data was removed from British Airways’ systems, we are taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution. Customers who are not contacted by British Airways by Friday 26 October at 1700 GMT do not need to take any action.”
On Thursday October 25, BA confirmed that it was in the process of notifying the holders of another 77,000 payment cards that their name, billing address, email address and card payment information, including card number, expiry date and security code, had potentially been compromised, plus the holders of an additional 108,000 cards whose details had potentially been compromised without the security code.
The airline also confirmed that this was the most serious attack on its website and app. The attack took place only 15 months after its computer system failed at London Heathrow Airport, stranding 75,000 passengers during a holiday weekend.